From a4f1af760e5f48eace1070239af4c01b1676e0b1 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 21 Sep 2019 12:02:14 +0200
Subject: [PATCH] retire old-style firewalling for mirrormaster sshing to the mirror nodes
---
 hieradata/common.yaml | 3 ---
 modules/ferm/templates/defs.conf.erb | 4 +---
 modules/ferm/templates/me.conf.erb | 8 --------
 3 files changed, 1 insertion(+), 14 deletions(-)
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 17253c3f6..e4990b1f8 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -59,9 +59,6 @@ roles:
 # XXX - ONLY used by ferm templates/defs.conf.erb
 - mailly.debian.org
 - muffat.debian.org
- mirrormaster:
- # XXX - used by ferm templates/defs.conf.erb
- - melartin.debian.org
 muninmaster:
 # XXX - used by ferm templates/defs.conf.erb
 - menotti.debian.org
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 365fdc8a4..08beaa0eb 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -24,7 +24,7 @@ allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
 roles = scope.lookupvar('deprecated::roles')
- %w{mailrelay nagiosmaster muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster}.each do |role|
+ %w{mailrelay nagiosmaster muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master}.each do |role|
 rolehost[role] = []
 roles[role].each do |node|
 next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
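Review bot: The role list on the changed `%w{...}.each do |role|` line must stay in step with the `roles:` hash in hieradata, because the context line `roles[role].each do |node|` calls `.each` directly on the lookup result and would presumably fail on nil for a role that is absent there. This commit removes `mirrormaster` from both places, so it is consistent, but the coupling is only recorded on the YAML side (the `XXX - used by ferm templates/defs.conf.erb` comments). I would add a comment above the list such as `# every role listed here must exist under roles: in hieradata/common.yaml`; a `(roles[role] || []).each do |node|` guard is the alternative if an empty host set is acceptable for a firewall definition. The loop body continues outside the hunk. Since the matching `$HOST_MIRRORMASTER_V4`/`_V6` definitions are removed later in this file, it is also worth confirming that no other ferm template still references them, which this patch cannot show.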
@@ -65,8 +65,6 @@
 @def $HOST_PORTSMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['ports_master']]).uniq.join(' ') %>);
 @def $HOST_ARCHIVEMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['historical_master']]).uniq.join(' ') %>);
 @def $HOST_ARCHIVEMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['historical_master']]).uniq.join(' ') %>);
-@def $HOST_MIRRORMASTER_V4 = (<%= scope.function_filter_ipv4([rolehost['mirrormaster']]).uniq.join(' ') %>);
-@def $HOST_MIRRORMASTER_V6 = (<%= scope.function_filter_ipv6([rolehost['mirrormaster']]).uniq.join(' ') %>);
 @def $HOST_SYNCPROXY_V4 = (<%= scope.function_filter_ipv4([rolehost['syncproxy']]).uniq.join(' ') %>);
 @def $HOST_SYNCPROXY_V6 = (<%= scope.function_filter_ipv6([rolehost['syncproxy']]).uniq.join(' ') %>);
 # syncproxy.au syncproxy2.eu syncproxy3.eu syncproxy4.eu
diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index 072c2c08a..6bd95df6b 100644
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
@@ -41,14 +41,6 @@ if should_restrict then
 ssh6allowed << %w{$HOST_DEBIAN_V6}
 end
- if scope.function_has_role(['debian_mirror']) or
- scope.function_has_role(['security_mirror']) or
- scope.function_has_role(['debug_mirror']) or
- scope.function_has_role(['historical_mirror']) or
- scope.function_has_role(['syncproxy']) then
- ssh4allowed << '$HOST_MIRRORMASTER_V4'
- ssh6allowed << '$HOST_MIRRORMASTER_V6'
- end
 if scope.function_has_role(['debian_mirror']) or
 scope.function_has_role(['syncproxy']) then
 ssh4allowed << '$HOST_SYNCPROXY_V4'
-- 
2.20.1